IntroductionSecurity Background Commonly used Encryption Algorithms Traditional modes of operationConfidential Data storage Software based Confidential Data Storage Hardware based Confidential Data StorageDeletionConclusion
What is the need of storing the data in a confidential manner?Cost of electronic storage declines rapidly. Theft of electronic storage occurred much more frequently.Sensitive information stored in an insecure manner is vulnerableto theft. Two major components exist to safeguard the privacy of data onelectronic storage media :Data must be stored in a confidential manner to preventunauthorized access.At the time of disposal, confidential data must be removed fromthe storage media
The general concept of secure handling of data is composed ofthree aspects:Confidentiality- involves ensuring that information is not read byunauthorized persons.Using encryption- to store data or authenticating valid users areexample means by which confidentiality is achieved.Integrity- ensures that the information is not altered byunauthorized persons . To verify- Combine a message authenticationcode with sensitive data. Many techniques of confidential storageand deletion involve cryptography: Commonly Used Encryption Algorithms Traditional Modes of Operation
Encryption -used in cryptography “to scramble information sothat only someone knowing the appropriate secret can obtain theoriginal information (through decryption)”.The secret is often a key of n random bits of zeros and ones.Common symmetric key encryption algorithms : the DataEncryption Standard (DES), Triple-DES (3DES), and the AdvancedEncryption Standard (AES). DES-a key size of 56 bits and a block size of 64 bits.Criticism-56-bit keylength is too short. With newer CPUs, the key space of 256 can beenumerated.3DES-built to enlarge the DES key space. Criticism-the key space to 2168,but the strength of 3DES is only twice as strong as DES.AES-block length of 128 bits and supports key lengths of 128, 192, and 256bits.
Electronic Codebook(ECB)- is the simplest mode of operation, and does notuse an IV(initialization vector) .With a key, Pi as the ith block of plaintext, and Ci asthe ith block of cipher text, the encryption is performed as Ci = Ekey (Pi), anddecryption is performed as Pi = Dkey (Ci). cipher-block-chaining (CBC)Cipher-Block-Chaining (CBC)-slightly more complicated and uses an IV,Encryption of the first block of plaintext is performed as C1 =Ekey (P1 Å IV), whereC1 is the 1st block of cipher text; IV is the random, non-secret initialization vector;and P1 is the 1st block of plaintext. Subsequent blocks of plaintext are encrypted asCi = Ekey (Pi Å Ci-1). In the same manner, the first block of cipher text is decryptedas P1 = Dkey (C1) Å IV, and the subsequent blocks of cipher text are decrypted asPi = Dkey (Ci) Å Ci-1. Contd…
Mode of Encryption Performance Decryption performanceoperationECB Good: ECB do not depend on Good: ECB do not depend on previous previous blocks. Multiple blocks blocks. Multiple blocks can be encrypted can be encrypted and decrypted in and decrypted in parallel. parallelCBC Poor: CBC ciphertext equires the Good: CFB and CBC decryption of one block previous ciphertext block as input. requires only one previous ciphertext block In the case of updates,CBC require as input. Multiple blocks can be decrypted re-encrypting the remainder of a in parallel. file, since all subsequent ciphertext blocks depend on the current ciphertext block. Thus, encryption is not parallized.
Confidential storage methods are difficult to implement forreasons including complexity of method setup, difficulty ofconversion of prior methods to new secure methods, training, keymanagement, and password. Here it shows the storage path for UNIX –based and WINDOWS operating system. Both UNIX and WINDOWS share one-to-one mapping.
Requires no hardware.Each solution has its strengths and limitations with regard to levelof confidentiality, ease-of-use, performance and the flexibility toset policies. Example of Software based confidential data storage is :Generalized Encryption Programs-can encrypt and decryptfiles using variety of ciphers and encryption modes.Flexibility-Changing Security Polices.User model-Invoke the programs with necessary key/password.Performance-Slower because can’t take full advantage of VFS.
Differ from software ones :Cryptographic functionality is either hard-coded into the hardwareor into an external specialty device.More Rigid and User cannot change authentication mechanisms.Much faster than any software.Example : Secure Flash Drives.Cannot be Reconfigured to meet changes in confidential policy.
A full secure data lifecycle implies that data is not only stored securely, but deleted in a secure manner as well. Confidential data deletion can be accomplished in 3 ways: Physical Destruction: Pulverization, Acid bath. Data Overwriting: software applications-Overwrite the contents of a file,delete thefile normally, and then overwrite all free space in the partition,erasethe entire partition or disk.file systems-FoSgen [Joukov et al. 2006] and Purgefs [Joukov andZadok 2005], which are stackable file systems built in FiST [Zadokand Nieh 2000]. Encryption with key erasure : It is best to delete the encryption key(s) securely through physical destruction or overwriting methods
By compiling experiences and constraints of variousconfidential storage and deletion techniques, we hope thatknowledge from research areas that have been evolvingindependently can cross disseminate, to form solutions that aretolerant to a broader range of constraints.